Last Updated on July 23, 2018 by David Bryan
If you have a WordPress, Magento or Joomla website or eCommerce store, or in fact any website, the GDPR comes into force on 25th May 2018 across the EU and will change for good the way organisations need to manage data and privacy. One aspect of GDPR compliance is managing the website, which, as an important external-facing component of an organisation's communications, needs to be GDPR-ready. While we're working hard here at Opace to make our own site GDPR-ready, we thought we would provide some guidance on the various implications that GDPR brings to web development, specifically for platforms such as WordPress, Joomla and Magento.
What Is GDPR and What Are the Penalties for Not Complying?
GDPR stands for General Data Protection Regulation. It is an EU regulation, i.e. directly applicable law rather than a set of guidelines, and it provides the legal framework for the collection and processing of the personal data of people in the EU. It applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so almost every organisation, large or small, is in scope. The GDPR sets out the rights of individuals over their data and the obligations of those who process it, with fines for non-compliance of up to €20 million or 4% of worldwide annual turnover (whichever is higher), plus a duty to report certain personal data breaches to the supervisory authority within 72 hours. For more information on GDPR penalties and fines, please see: https://www.itgovernance.co.uk/dpa-and-gdpr-penalties and https://www.gdpr.associates/data-breach-penalties
Documentation, Policy & Compliance Statement Updates for GDPR
There are many documentation updates necessitated by GDPR. Below, we are only covering the common forms of documents (policies and compliance statements) which impact websites. In addition, many internal documents will need to be updated. The main website documents to update in readiness for GDPR are:
2) GDPR Compliance Statement
- Larger organisations – this excellent example from Civica, or
- Data-centric organisations:
3) Copyright Notice
Some additional text should be added to the Copyright Notice to state that the copy on the website complies with GDPR, i.e. that published content does not breach the privacy rights of individuals. This requires a check of previously published content (names, photographs and quotes of identifiable people, for example). View Opace's Copyright Notice for an example of what is required.
4) Data Retention Policy
Where there is a data retention policy published on the website this needs to be updated to reflect GDPR or removed from the website. For most organisations, it isn’t necessary to publish the data retention policy online, but where it is, the policy needs to integrally include GDPR. View examples from D &K Accountants and Iris Connect for mapping data retention policy to GDPR compliance.
There may be additional policies published on your website which impact GDPR. For help and advice, contact Opace on 0121 222 5757. As a part of our service, we can revise your public facing content to ensure it is fully GDPR compliant, although this would necessitate some organisational internal processes to be revised too.
Software Updates for GDPR
Whether you have a WordPress, Magento or Joomla website or use another platform, there are also many software changes necessitated by GDPR. The list below covers some of the most common ones. Read through the list and check whether your organisation complies.
6) Website HTTPS certified
With HTTP, everything the visitor sends and receives (login details, form contents, card numbers) travels in clear text and can be read or altered by anyone on the network path, for example on shared Wi-Fi or through a compromised proxy. With HTTPS the connection is encrypted and the browser verifies that it is really talking to your server, so the same interception gives an attacker nothing useful. Imagine that data were credit card or other personal information that could be used for identity theft.

Therefore, for GDPR compliance as a minimum, every website needs to be served over https://. This means all data communicated between the website and the user's browser is protected by TLS (Transport Layer Security); its predecessor SSL (Secure Sockets Layer) is obsolete and should be disabled on the server. Make sure plain http:// requests redirect to https://, and that every page loads its scripts, images and forms over HTTPS too, otherwise browsers will flag mixed content.

Certificates no longer need to cost anything. Let's Encrypt describes itself as “A free, automated, and open certificate authority (CA), run for the public's benefit”.

So there's really no excuse for any website not to be served over HTTPS now.
7) Pseudonymisation and encryption of personal data
Pseudonymisation means replacing the fields that identify a person (name, e-mail address, customer ID) with tokens, and keeping the key or lookup table that links tokens back to people separately and under tighter control; encryption protects the data itself at rest and in transit. The GDPR does not make either an absolute requirement for every dataset: Article 32 lists them as examples of the “appropriate technical and organisational measures” a controller must choose according to the risk, and Article 25 names pseudonymisation as a data-protection-by-design measure. In practice there are two strong reasons to apply them to the personal data a website stores: they reduce what an attacker gains from a breach, and where the breached data was rendered unintelligible (properly encrypted, for example), Article 34 removes the duty to notify the affected individuals. Note that a plain hash of an e-mail address is not adequate pseudonymisation, because anyone with a list of candidate addresses can recompute the hashes and match them.
8) WordPress, Magento and Joomla plugins and extensions
In 2018, plugins are “all the rage”: why pay to reinvent the wheel when plugins will provide what you need at a fraction of the price? This principle also applies to GDPR, where software developers have created special plugins to help organisations with GDPR compliance.
Here at Opace, we specialise in website development for WordPress, WooCommerce, Magento eCommerce (v1 and v2) and Joomla. As such, we thought it would be useful to share links for the systems we work closely with:
Here are some useful GDPR extensions for Joomla:
Here are some useful GDPR extensions listed on Magento Marketplace for Magento 2.
WordPress and WooCommerce
Here are some useful GDPR plugins listed on the WordPress plugins directory:
Being one of the most widely used platforms on the planet, you will also find GDPR plugins, solutions and services for WordPress elsewhere on the Web, for example:
Here are some specific cookie consent plugins, all with good reviews:
Two useful links, one specifically relating to WooCommerce and the other from the creator of our favourite WordPress theme Divi, can be found below:
It’s still very early days, so if you can’t find anything suitable above or you can’t find a well reviewed extension or plugin, that may very well change over the coming months.
9) Audit existing plugins and extensions
As well as installing new plugins to help with GDPR compliance, it is also necessary to audit the plugins and extensions you already have. There is every chance that some of them are not GDPR compliant, or are still being updated to become compliant.

As part of a GDPR audit, check for each plugin what personal data it collects or stores (its own database tables, log files, cookies), whether it sends data to a third-party service (analytics, chat, anti-spam, CDN, e-mail), whether it supports exporting and erasing an individual's data when they ask, and whether it is still maintained, since an abandoned plugin that no longer receives security fixes is a breach waiting to happen. Where a plugin cannot be made to protect data privacy, remove it and replace it with one which fully meets the requirements.
10) Removal of eCommerce client data
The GDPR clearly states that personal data should not be retained longer than is necessary. This creates some clear issues for some eCommerce businesses using platforms like Magento and WooCommerce. An eCommerce website is likely to collect personal data as a part of the transaction and will pass it to a payment gateway, CRM, or other third-party system to complete the transaction.
This is personal data and therefore needs to be deleted, or anonymised, once its purpose has been served. The GDPR is not specific about timeframes, but Opace would suggest 30-60 days is a reasonable maximum for the website system to hold the identifying details of a completed order. Note that other laws may oblige you to keep the financial record of the transaction for much longer (tax and accounting rules, for example); the usual answer is to keep the order and its amounts but overwrite the fields that identify the customer. Web processes therefore need to be developed to remove the data after the agreed period; it is better to automate this on a schedule than to leave it to a manual user action, and the same thinking must be applied to backups and exports, and to how long the third-party systems (payment gateway, CRM) you passed the data to keep it.
In situations where the organisation wants to retain some or all of the eCommerce data, they will need to either obtain consent from the customer and/or find legal grounds for retention of the data in order to remain compliant with GDPR.
11) Cookie opt-in consent
Clearly, not all cookies are used in a way that identifies the user (e.g. a cookie that remembers a language preference or keeps a basket together), but many do. Cookies of that kind are used in areas such as advertising, analytics, chat and surveys, etc.

Where a cookie can be linked to an individual or their device, then under GDPR it is personal data (Recital 30 names cookie identifiers explicitly). To achieve compliance, the organisation will either need to:
- Stop using the personally identifiable cookies, or
- Find methods or solutions to collect, process and retain data within the requirements of GDPR
Here are some rules surrounding cookie implementation for software:
Implied consent is not consent
The only valid form of consent is an affirmative action by the user. If no opt-in mechanism is offered, there is no valid consent. Options could include:
- Ticking an opt-in box, or
- Choosing opt-in through settings in their user profile, or
- Another mechanism which shows that consent has been given
“By continuing to use this site you accept cookies” is not consent
Visitors must be able to opt in as well as opt out of cookies
It must be possible to opt in to accepting cookies, but it must also be possible to opt out later, having previously opted in, and withdrawing consent must be as easy as giving it (Article 7(3)). Non-essential cookies must not be set, and the scripts that set them must not run, until the visitor has opted in.
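The rules above translate into a small piece of front-end logic: nothing non-essential runs until an explicit opt-in has been recorded, and opting out later removes what was set. The following is an added example written for this article (not code from the original post or any consent plugin). It is organised around a cookie “jar” interface so the same logic runs in Node for testing and in the browser over document.cookie; the cookie name, category names and version number are assumptions.

```javascript
// Added example (not code from the original post or any plugin): a small consent
// gate for non-essential cookies. Written against a "jar" interface so it runs in
// Node with an in-memory jar; in the browser the jar wraps document.cookie.

const CATEGORIES = ['analytics', 'advertising', 'chat']; // non-essential categories (assumed)
const CONSENT_COOKIE = 'cookie_consent';                   // name assumed for this example
const NOTICE_VERSION = 2; // bump when the cookie notice changes; older consents then no longer count

function createConsentManager(jar, clock = () => Date.now()) {
  // jar: { get(name), set(name, value, opts), remove(name) }
  function read() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return null; // no record: no consent
    try {
      const rec = JSON.parse(raw);
      if (rec.version !== NOTICE_VERSION || !Array.isArray(rec.granted)) return null; // stale notice
      return rec;
    } catch (e) {
      return null; // malformed record: treat as no consent
    }
  }
  function write(granted) {
    const rec = { version: NOTICE_VERSION, granted, at: new Date(clock()).toISOString() };
    jar.set(CONSENT_COOKIE, JSON.stringify(rec), { maxAge: 180 * 86400, sameSite: 'Lax' });
    return rec;
  }
  // Absence of a record, a stale version or a parse error all answer "no". Only an
  // explicit "yes" for that category (recorded by grant()) answers "yes".
  function allowed(category) {
    const rec = read();
    return rec !== null && rec.granted.includes(category);
  }
  // Call only from an affirmative user action, e.g. the click handler of an "Accept analytics" button.
  function grant(categories) {
    const current = read();
    const granted = new Set(current ? current.granted : []);
    for (const c of categories) if (CATEGORIES.includes(c)) granted.add(c);
    return write([...granted]);
  }
  // Withdrawal must be as easy as granting, and the cookies that category set must go too.
  function withdraw(category, cookiesSetByCategory = []) {
    const current = read();
    const granted = (current ? current.granted : []).filter((c) => c !== category);
    for (const name of cookiesSetByCategory) jar.remove(name);
    return write(granted);
  }
  return { read, allowed, grant, withdraw };
}

// Run a third-party loader (e.g. the analytics snippet) only when its category is consented.
function loadIfAllowed(consent, category, loader) {
  if (!consent.allowed(category)) return false;
  loader();
  return true;
}

// In-memory jar so the example runs outside a browser.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Browser jar over document.cookie (pass `document`). Cookies a third party set with a
// Domain attribute (e.g. on the parent domain) must be removed with the same Domain.
function browserJar(doc) {
  return {
    get: (name) => {
      const m = doc.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
      return m ? decodeURIComponent(m[1]) : undefined;
    },
    set: (name, value, opts = {}) => {
      doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${opts.maxAge || 180 * 86400}; SameSite=${opts.sameSite || 'Lax'}`;
    },
    remove: (name) => { doc.cookie = `${name}=; Path=/; Max-Age=0`; },
  };
}
```

In the page, `grant` is wired to the accept button of the consent banner and `withdraw` to a “cookie settings” link reachable from every page; the analytics or advertising snippet is only ever executed through `loadIfAllowed`. Keep a list of which cookies each category sets, because a cookie a third-party script placed on the parent domain can only be removed with a matching Domain attribute.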
12) Website comments handling
Website comments usually include some personal data (e.g. name, e-mail address, social media profile, job title, IP address). As this data identifies an individual, opt-in consent is needed for anything beyond displaying the comment itself, such as storing the commenter's details in a browser cookie for next time; it can't be assumed that just because a comment is left, the user agrees to their personal data being kept or shared.

Comments will most likely be managed through the website platform or a plugin, which should obtain that opt-in. WordPress 4.9.6 (May 2018), for example, replaced the automatic comment cookie with an unticked “Save my name, email, and website in this browser for the next time I comment” checkbox and added tools to export and erase a person's data. If your platform offers nothing of the kind, allow comments to be posted anonymously.
13) Active Opt-in Forms – Default to “Blank” or “No”
Any opt-in functionality throughout the website must default to “blank” or “no”. This could, for example, be a subscription to a newsletter or to blog post updates, etc.
Opt-in functionality must NEVER default to yes: checkboxes are rendered unticked, and the server treats a missing or empty value as “no”. The website must never, anywhere, assume that visitors are opting in by default.
14) Terms Acceptance and Permission to Contact are Separate
15) Contact Permission by Type – “Granular Consent”
Where visitors are given options for communication, there need to be separate multi-tick options (also called “granular consent”). For example, where a visitor accepts communication, there needs to be separate opt-in acceptance for phone/mobile/SMS/email. There can’t be a catch-all where one consent allows communication to every channel. Instead, communication can only be to specifically subscribed opted-in channels of communication.
16) Unsubscribe option
There must be an option for all opted-in subscribers to unsubscribe from newsletters, etc. This needs to be clear, simple to use and not hidden; an unsubscribe link in every e-mail and a preferences page on the website are the usual ways. Withdrawing consent must be as easy as giving it.
We’re not covering the GDPR compliance implications for email/newsletter marketing in this guide but here are some useful links:
17) Multi-party data consent
In some circumstances an organisation may want to share data with multiple parties, e.g. other subsidiaries of a group or selected external parties. In cases such as this, the software implementation must offer an explicit and specific opt-in for each party with whom data would be shared, naming that party. This is implemented with a separate, unticked checkbox per recipient (not radio buttons, which force a single choice), and the choice is recorded against the customer's record.
GDPR Website Compliance Audit
Are you concerned about GDPR and want to receive professional advice about your website, where it complies and where it fails to meet the requirements of GDPR? Why not speak to Opace about a GDPR website compliance audit? We can audit your entire site and provide a set of recommendations, which need to be put right to achieve compliance. In many cases, we may be able to fix the issues, provided we have access to your system or we can advise your own developers on what is required. If you want more information about this service give Opace a call and we can tailor a solution to meet your specific requirements.
We have come to the end of our guide to the GDPR Compliance for WordPress, Joomla and Magento eCommerce. We hope you have enjoyed this article and found it valuable in your mission to become GDPR compliant! For a friendly chat and helpful advice about how Opace can help your organisation to become GDPR compliant why not call us today on 0121 222 5757?